[kijin]

It's fairly resource-intensive, though. I've seen whole servers brought to their knees because of plugins like WordFence -- an unintentional DoS, so to speak. Many of the defenses employed by WordFence would be orders of magnitude more efficient if implemented at the level of the http daemon or firewall. Unfortunately, WordPress plugins must cater to the lowest common denominator, shared hosting.

[xenospn]

If what you’re dealing with is thousands of attempted brute force attacks on a daily or weekly basis, a wordpress plugin might not be the solution.

[kijin]

Sure, but you don't know that until the attacks actually begin, and anyone can attack any site for any reason these days. Meanwhile, most people who run WordPress sites don't know how to do anything more complicated than installing a plugin. Being a developer who caters to that market has its own charms and challenges.